Aaron Li: 1Wallet & Social NFT
🍠

Aaron Li: 1Wallet & Social NFT

Here are Aaron's timesheet, peer bonus, deliverables and bio. He is currently at Pacific Time UTC-7, Palo Alto, CA.

Timesheet & Peer Bonus (with giv.one)

DateHoursTagsArtifactsFeedback
354.5

(...many weeks passed. see open dev log)

1.2

Token and NFT experimentation and debugging; Client API implentation for token operation

11

Research on daVinci market; Client: ERC20 grid; Token assets manager; Unified token key compute utility; In-browser IPFS retrieval analysis and benchmark; Client API initialization for token contracts and metadata, and API implementations for metadata retrieval and balance checking for token and NFT contracts; Refactor and modularization of client wallet components; Smart contract support for Override-Track capability; Smart contract optimization for universal deployability (<24K); Smart contract multi-track capability; Client side state management (reducer, saga, actions) for tracking tokens, token balances, and currently selected tokens; Direct support for well known ERC-20 tokens; Infrastructure support for tokens with custom decimal settings; Unifty bn.js dependecy; Multi-network support for token operations and views; Token operation hash and commit hash utilities, and debugging; Auto chaining and auto refresh token balance after commit-reveal flow; Support sending tokens; fix bugs related to reveal token operations; Distinguished UI for sending tokens (re-used from sending ONEs); Various bug fixes; Complete flow demo + verification;

11.2

NFT Grid, support for both ERC721 and ERC1155, share same underlying token abstraction with ERC20; Support image, animation, and metadata rendering; NFT details toggle; Responsive grid; End-to-end debugging and testing for tokens; Upgrade versions and warning messages for older clients; v0.3 release; Separate view and filtering for ERC20 and NFT grids; Support sending NFT through existing transfer UI;

1

OTP Input and Refocus code review + revision + bug fixes; Provide feedback; Fix missing name issue for some ERC721 tokens

6.1

Address critical security vulnerabilities with commit-reveal (#47); Constant-time commit lookup (#3, #4); Implement suggested contract optimizations in Common Prefix preliminary report (immutable variables, unchecked arithmetics); Added NatSpec compliant comments in contract code; Fix an issue with incorrect key computation of tracked tokens; Unify all reveal operations into a single function with different operation types;

299.5

(many weeks passed, content omitted. see open dev log)

2

Address user experience issues reported by Boris; Special processing for displaying Harmony Punk; Always show full address and address-tools on header section in desktop view

0.5

Support for video NFT

1

Scripts for listing 1wallet deployment transactions and inferring their addresses

1.5

Miscellaneous fixes (HTTPS certificate, protobuf generation; context menu of onboarding QR code upon tapping); Experimentations on non-standard Google Authenticator settings; Binance withdrawal issue (#127) investigation, reproduction, discussion (9:30pm)

0.5

Review of Red Packet admin tool proposal, elaboration on NFT metadata and TODO for red packet NFT, and IPFS

1

More special handling on HarmonyPunk (#128)

1

Resolve miscellaneous address issue (#130) Further discussion with Binance on withdrawal issue; Relayer: deploy new library contracts only when necessary; NFT: get header only when necessary;

5.5

Release v0.11.1; Make Swap available to all; Limit contract call operation to respect spending limit; Remove extraneous warnings; Make swap obey spending limit; Fix bug in Wallet Graph library that causes command operations always to fail; Make commit-reveal pace faster; Hide double OTP by default; Added expert mode, which allows the user to use double OTP and freely adjust spending limit

1

Fix a bug that prevents automatically transfer of tokens upon upgrade (#133)

3

Red packet design and analysis of alternatives; Complete, detailed implementation and design proposal for red packet; Discussions and open questions

6

Extending daily limit to spending limit and spending interval; Smart contract library: SpendingManager; Refactor wallet smart contract and upgrade constructor and getters to be more compact and informative; Analyze Harmony Java SDK and resolve Binance withdrawal issue

4.5

Release v0.12.1; Make all existing components work with spending limit and newly refactored wallet smart contract interfaces (core library, relayer, api, Send, Swap, About, and various other modules)

2.5

Red packet: Gift tab in wallet; Simplify onboarding messages; Make onboarding QR code intuitive for tapping; Substantially simplify onboarding messages; Added paste-from-authenticator button for mobile view;

1.5

(Continued)

7

(Continued) First functional red packet creation, end-to-end; Fix issue with not showing commit-reveal progress correctly whie sending tokens; Fix issues with address labels; Make several critical modules shared, exported components; Fix several library bugs (multi-call encoding, etc.)

5

(Continued) and research and experiment on Android Google Authenticator issue (#136); Discussions; Refine red packet implementation, flow and debugging

8

Unwrapping red packet: end-to-end, debugging, and live testing; Smart contract upgrade on nonce and operation time exposure; Various reusable frontend infrastructure component for NFT tracking, display, and management

6.5

Fix Android failure to scan QR code issue; Automatically cleans up invalid or expired temporary wallets; Enable wallet to display a QR code of its address recognizable by 1wallet QR code scan and general camera scan; Intelligent camera selection for all scanning and mobile support; Enable 1wallet to scan QR code and recognize various formats and intents; Simplify prompt and process to save address for new user onboarding; Added a default, not-owned NFT so new user can experience collectibles; Review and revise haolin's work on QR code image upload; Fit and organize all new features; Various high priority miscellaneous user experience issues

1.5

Fix QR code scanning error message spamming issue; Added support for scanning red packet QR code; Finalize wallet restore entirely on mobile and making video tutorial; Various discussions, debugging with online users who had issues and those reported at the offline event

4

Allow advanced settings for red packet (custome message, random factor); Measures to reduce errors from claiming red packet, and show urgency; Relayer error analytics and report; Diagnosis and deep parsing of errors reported by people at offline event

1

Tests, research, and analysis on various browsers and incognito modes

2.5

Fix issue #147, #148 (error on restore when local double otp state is inconsistent)

3

(Continued) and fix the underlying cause of the inconsistent state, ensure double otp to work properly in future versions, and add fallback compatibility / auto-fix for restoring older, inconsitent versions

1

Offline event feedback review and analysis; debugging

0.5

Debugging; fix a bug which may cause wallet listing screen to run into infinite loop

1

Assist on #149, #150, research on #151 and 1:1 integration guidance following #149

1.5

Allow integrations to make binary calls directly via hex data

1

DEX and hackathon integration assistance; Fix a bug where integration calls with zero send-amount would not function;

2.5

Gnosis integration debugging; Diagnose issues with Jenya arising from local inconsistent state and old wallet version as part of Gnosis integration;

2.5

Safeguards and tests against using incompatible wallet versions for integrations

6.5

Track and untrack tokens, NFTs; Direct integration with daVinci and customization based on its unique IPFS, API, and file formats; Mobile view

3.5

(Continued); Released v0.12.4

1

Fix issues that may cause inconsistent state; Diagnosis and debug with Jenya

1

Gnosis integration finalization with Jenya and demo

0.5

daVinci NFT purchase IPFS issue further research and adding materials for loading state

0.5

Gnosis safe integration debugging on multiple environments; Analysis of causes for wallets gone missing

3

Support Aegis authenticator (#151, #157); Debugging wallet gone missing and bugs in purge routine; Use simple create flow in side menu; Tolerate 30 delay of OTP code;

5.5

List top 9 ERC-20 assets in wallet home screen (#158); Simplified app-call flow (#159); verify callback domain and whitelist contract and methods (#159); call data decode utility (#159); Hide temporary wallets for app connect. Test and debug Gnosis Safe integrations

2

Ability to inspect old wallets; Improve wallet About screen; improve Sentry event capturing; Debug IPFS issues and improve NFT visualization robustness

8

Ability to reclaim domain and tokens from old wallet, debug and testing; Sensisble layout and interactions on wallet about screen; Unify row components; Fix bug with wallet purge to prevent purging partial proofs which are still used by at least one wallet; NFT gateway and display stablity debugging; Reclaim reverse domain

3

Release v13 (#160); Release notes; Simplify OTP confirmation flow; auto-verify domain in both directions; Fully functional Inspect and Reclaim features

1

Fix upgrade OTP confirmation bug; Auto copy on address format switching; Mobile friendly wallet title; Auto-spawn temporary old wallets during app-call if needed; Store old wallets in state persistently; 4s retry interval; favicon; Simplified, minimal call screen

3

(Continued)

1

Timeless integration and 1wallet library sync

3

Generalized method for contract and method verification during app call; Tools for add Harmony protocol in MetaMask and to open Harmony Safe; Issue #161

1.5

Gnosis Safe code review, development tracking, security analysis, and identify potential backdoors

1.5

(Continued)

2

(Continued)

6

Even mapping extraction scripts; Issue #161, cumulative analysis and debugging; Debugging and fix issues with using old wallets; Dev state dump tool; Remove recovery on recover screen when recovery address is not set; Fix infinite loop on connect; Fix NFT tracking on mobile; Gnosis Safe integration contract interaction debugging and tests

4

Gnosis Safe SushiSwap Transaction encoder tool; Functional Gnosis Safe SushiSwap end-to-end flow; Improve Swap mobile experience; disable mobile autozoom; add paste button on mobile OTP input; fix global usage stats overflow (use abbreviation); always show address options on wallet title; Hex options on wallet address components; allow displaying and choosing old wallet address and hex addresses in app connect screen

3

(Continued)

0.5

General integration advice and debugging and resolving Timeless address conversion issues in Python and Swift

0.5

Tools with individual URLs and guides; Investigation, analysis, and guidance for issues encountered by Harmony DAO grant recipients; Issues #165, #164; expert mode support for grant recipients

2

Wallet as Safari extension (macOS 12 / iOS 15) debugging, build, research, analysis, and experiments

4

Trustless bridge review; Review and feedback to security risk raised by Shshank (re: forging commit); Issue #164

4

(Continued) and address issue #166

1

Sync with Harmony team re: domain services and use cases

1.5

Transack integration review and application (#155); Analysis, planning, and feedback to Timeless regarding fiat integration and Apple Pay

0.5

Analyze and fix QR code compatibility issue (Haodi) and Google Authenticator version history

1.5

Sync with Transack. Preparation on Transak integration. Plan and acquire resources needed to enable ONE / USD purcahse; Sync with Timeless on fiat integration

2

Trustless bridge script code review and analysis

5

Trustless bridge contract code review, analysis, feedback; Comparison with trusted bridge implementations

5.5

Sync and feedback on Timeless Wallet integration technical issues; Implement fixes for issue #166 and the underlying issues (identifying post-recovery wallets, prevent infinite loop, show warnings, etc.)

2.5

Re-work notifications; Commit-Reveal progress experience improvement; Mobile experience improvement. Warning for sending to custody-wallet addresses; More #116

0.5

Cache global usage stats on client side; Resolve stats count issue (#162)

5

Transact integration implementation, testing, bug analysis and sync; End-to-end staging and production tests

4

Milestones, progress and development summaries, planning, public pages, and research on various issues (fiat, Apple Pay, library integration, NFT)

3

Ethereum trustless bridge audit: code and design review (EthereumProvder, Harmony Prover, Merkle Patricia Tree inclusion and exclusion tests, alternative MPT implementation, javascript invocations and example usage, analysis on fork resistance)

5

(Continued); Timeless integration and 1wallet library customizations

1

Ethereum trustless bridge audit: more analysis on correctness of MPT membership test implementation in libraries

4

(Continued) Merkle Mountain Range related implementations review and analysis

4

(Continued) and all remaining components and libraries except ethash. Analysis on TokenLockerOnHarmony and concern over lack of MMR

1

Timeless integration: analysis of onboarding issues, suggestions, tentative solutions and improvements

2

Analysis, proposals, and planning for wallet renewal (#171), predictable address (#172), and 1wallet light client (#174)

6

v14 WIP: core replacement logics, new reveal libraries, refacotring contracts to conform size limits, simplifying codes, testing; Timeless integration discussions on upgrade, review of alternative approaches in other projects, and discussion of various integration issues

6

(Continued) Batch operation support; Relayer upgrade for contract caching, better logging for requests, backoff-retry initialization,

6

Minimal wallet setup components; Extend wallet frontend infrastructure;

5

Recovery expiration checks; Recovery frontend bug fixes; 1wallet DAO change; Extend frontend infrastructure, core library hash utilities

3

(Continued) Extend operation implementation and testing

6

(Continued) Revamp Extend infrastructure; Script utilities for event and topic hashing; Core API for retrieving old cores; Root management utility and deletion utlities; useWallet and various common components; Contract revamp to allow authentication against old cores (old authenticator roots and times); Firelayerinitialization on Ganache; Wallet expiration checks; Wallet root checks and multi-device check

7

(Continued) Core library: support loading old roots; Experiments on validating new root and old root belong to same seed

3

(Continued) Self-code review and address review comments; Fix bugs in new reveal mechanism on multi-core authentication and recovery authentication;

2

Revamp upgrade messaging and experience

2

Fiat on ramp refacotring and customized currency selector; Allow skip upgrade version and fix layout bugs

2

Planning, updates, implementation proposals and analysis, and milestones (#189, #190, #191)

1

(Continued)

1.5

Using Harmony Safe with 1wallet: create, deposit, and swap tutorials; ETH bridge report discussion; BTC bridge initial review; Unstoppable domain initial review

7.5

Predictable address, 1wallet deployment factory, (#172) research on proxy upgrade (#189); Bug fix: recovered wallet is stuck in wallet list

5

(Continued)

8

(Continued) and analysis on upgrade mechanism and future directions #189

6.5

(Continued) and factory helper, identification hash mechanism for permanent recovery capability, ecrecover on identification hash on contract; major refactoring and structure optimization of contracts

5

Recovery and Version libraries; Bolster TokenTracker library; Reduce main contract size by 40%; Improve ENS domain and subdomain libraries; Optimize WalletGraph

3

Core structure enhancement; Setting up inner cores at initialization; Authentication logics against inner cores; Two levels of daily limit adjustment functionalities; Detailed description of design and variable purposes in comments; Relayer new formats for creating new wallets; More efficient commit and reveal from relayer

6

(Continued)

4

Core: make OTP seed dual purpose (also serves as private keys), re-work identification hash to comform with public key formats; Completely reworked relayer initialization code;

5.5

(Continued) fix several issues with factory and deployer helper; fix issues with relayer deployment using factory;

5

Core library: efficiently building merkle tree with inner cores; inner tree generations; interlaced sha256 hasher

5

Make all core tests work again; Make new test utils for common procedures (creation, tree generation); Improve tests; Improve core libraries and fix bugs introduced by inner cores

5

Make most tests use test utils; Factory tests; Make tests use factory; Add more encoder, decoder, and utils in tests

4

(Continued) and fix bugs in recovery using inner cores

2

Core construction utilities; refactoring tests

3

Improved test flow; commit-reveal utilities for larger scale tests; inner core tests; Make tests use salted creation procedure, run deterministically, using separate creation seeds

6

(Continued) fix core displacement contract bug; pass most significant inner core related tests (core displacement); add null operation parameters and update various other constants;

2

Pass additional tests for post-core-replacement operations and transfers

6

Spend limit tests; Various hash computation utilities in core lib; Relayer default spend limit values; Contract: categorize reveal hash compute functions

7

Client: adapt to new creation flow, compute inner cores in workers, and store appropriately; Optimize inner core tree heigh; Allow relayer to be more adaptive to arguments; Experiment and reduce wallet creation duration

1

Status review and updates

3

1wallet presentations and summary

3

1wallet short presentation

1.5

(continued) presentation appendix

2

(continued) talk preparation

2.5

More wallet restoration methods

2

Review, debug, and test address book changes (#200) and persistent store and synchronization improvements (#199) 

1

(Continued)

1

Review and debug an issue with swap such that estimate may be off and swap may fail for some pairs (#204)

1.5

Initial review of staking dashboard code for security issues

5

Fix liquidity, estimation, execution, and errror handling issues with Swap

3.5

Review of Chrome Extension Wallet code for vulnerability and further review of staking dashboard

3

Presentation preparation and rehearsal

1

Review staking dashboard code injection issues and identify possible places of injection

12

(Continued) Wallet restoration proto definition; Better restoration guide; Embed predicted address in QR code during creation; OtpSuperStack component; Core library that supports v15 core construction and computing restoration eotp; State management with cache; Component implementation for restoration by 6x6 codes and recovery file handling

7

(Continued)

4

State persistence final review and debugging (#199); Export feature review, debugging, and improvements (#202)

2

State refactoring review and conflict resolution (#209); Further state refactoring cleanup and improvements

6

(Continued) Bug fixes with core apis with respect to v15 changes; Cache creation code per network; Fix relayer parameters with respect to gas usage to accommodate higher gas consumption in v15; Fix potential errors of component rendering in case of network or wallet errors; Rewrite restoration option messaging and layouts

1.5

Review and testing of state refactory part 2 (#212)

8

Customizable RPC endpoints in client; env sample; Fix fallback values in new persistence state layout; Build thief hunter - tools for batch scanning websites that potentially interacts with Harmpny Chrome Extension Wallet; Config the tool and acquire initial scanning results for all validator's websites on mainnet and testnet; Analysis

4

refine wallet proto; separate restorebyscan component; refine syncrecoveryfile; refine recovery pages and restore pages

2

Test and fix various issues with Restore: using recovery file, local import, and some compile issues; Review QR code scanner hotfix (#223)

6

InnerCore tests with snapshots; Fix bug with core construction util; innerCore retrival from contract; RPC config through env; Fix issues with wallet proto; Local export wallet with name; Fix initialization issue in OTPSuperStack; Fix focus issue with OTPStack; Fix various update and functional issues with restore-by-code, sync recovery file, and setting up new code while restoring; Recompile contracts; utilities for retrieving and processing core s ettings from blockchain

2

(Continued)

3

EOTPBuilder for encoding multiple OTPs; Exposure of util API in browser; Fix unsynced component data in restore-by-code and set-up-new-code flow, and exception handling; Testing and debugging the flows; Handling local layer storage after the flows

3.5

Properly auto destroy workers; Auto-cleanup unused inner trees; Override versions in API calls during restore; Add ability to override versions in core libraries during commit and reveal; Debugging notifications for expected OTP, restore process, and other critical steps; Testing and debugging all restore methods

1.5

Continued testing and debugging, and fixing restore issues; Fully function restore-by-code, end-to-end

1.5

3

Use two-word names and a simple timestamp for wallet names everywhere; Display creation QR code using timestamped wallet name; Restore explanation update; Properly handle wallet names without timestamps and use wallet names with timestamps to guide user selecting the right auth code to use

9

Auto-load identificationKey from blockchain for wallet initializations; Update core API and instantly initialize all contract instances without Truffle verification; Add more debugging messages in commit-reveal flow; Add debug method in message interface; Adjust camera scan delay;fix a bug where deleteRoot is not deleting tree from storage; added cleanStorage util; Call cleanStorage on wallet list init; fixed a bug where wallets might not be initialized before purging; Use WalletCreateProgress to highlight in-progress stage for wallet creation; Improving guides for Google Authenticator export guide; Show proper wallet names for info pops; Allow workers to build inner trees and add such an option; Use identificationKeys to identify tree to use in core commmit-reveal flow; Make RestoreByScan fully functional; Store localIdentificationKey in RestoreByCodes

4

(Continued) use .recovery1wallet for recovery files; Use localIdentificationKey to find the right layers to export in local export and import; use new wallet proto in import/export; uniformly use uint8array for secrets/seed; core: use backward compatible init counter value; duplicate seed arraybuffer on processOtpSeed; 

2.5

Review #219, #225, #226; Resolve merge conflict; Fix wallet auto-migration; Use new wallet persistent state layout for restore; auto migrate global state; Cleanup secret-leaking debug message; 

6

Review #224; terminate random worker on unload; more consistent getWallet return value format; add versioning comments for api create; contract: allow DISPLACE to occur with single core when innerCores are unavailable; move contract-code acquisition to routes; set gas limit for factories; Make Upgrade component compatible with v15; 

4

(Continued)

5

Review #222 (event notifications), #227 (lazy load); Restore: filter id keys for only ecdsa public keys; remove hardcoded addresses for deploy; core flow: separate out deriveEOTP and related functions for external use; relayer: log address of newly deployed lib; Fix event notification messages; 

7

ZKU - dark forest assignment research, design, writeup, and validation of feasibility

2

(Continued)

2

Chrome Extension Wallet emergency response and forensic analysis to crosschain movement of funds; Analysis of victim profiles (W, T, R, S, A)

6

Hacker transaction pattern analysis, Tornado Cash transaction review and tracing; Slowmist engagement and briefing; Staking dashboard and Chrome Extension Wallet version freezing and runtime code sampling

5

Chrome Extension Wallet incident analysis and report, #1; Whitehat hacker engagement and briefing; Victim profile analysis and identification of common traits

3

(Continued); More hacker transaction pattern analysis; 

1

Report appendix; Response team briefing and analysis

3

Chrome Extension Wallet code review: event listener usage and internal API flow

1

FBI initial briefing

2

Meeting with Shashank on 1wallet analysis and planning, Chrome Extension incident, and Tornado Cash tracing

2

More extension code review and analysis (use of local storage and Chrome synced storage, safety of storage usage, research)

2

Report editing; Aggregation of sate police reports; More code review; Internal briefing on law enforcement engagement

1.5

Response team internal briefing; FBI group meeting regarding the incident and formulation of next steps

1.5

Research and analysis on bruteforce difficulty and local storage encryption strength; Hacker tracing discussions

2.5

Research and analysis on Chrome zero-day issues in 2021 and its role and potential impact in the hacks; Hacker wallet and transaction analysis

3

Extension code review, exception handling vulnerability analysis, writeup, and internal discussions with Jenya

4

User agent analysis and discussion; More code review and research on exception handling bulnerability (e.g. potential danger of stack leaking private keys); Simulation of exception under abnormal condition and using debug tools; Internal discussion and writeup

2

(Continued); 

3

Response team briefing; Runtime extension JS code analysis and interaction with localStorage; Internal discussions on risk and vulnerability

1.5

Bridge transaction analysis and gas usage analysis; Internal discussions

7.5

Staking dashboard code review and analysis; internal discussions; Common browsing history analysis tool; Report on common browsing history of victims;

5

Analysis on potential DNS vulnerability on Netlify and Staking Dashboard; Internal writeup and discussions; Analysis on security of extension build process, and recommnedations; Analysis of event queue processing system in extension code; Hypothesis on potential ways of attacks; Internal discussions; Review of potential hacks

2.5

Response team briefing; Validation and Aaalysis of RPC log 

3

More validation and analysis on RPC log; Code review on extension active-tab handling and tab-locking mechanism; Analysis and discussion on potential issues

8

Review and suggestions on incident announcement blog; Heap analysis on memory footprint of private key; Local filesystem analysis, research on extension versioning, event logging, and local filesystem footprint; Fine-grained network traffic analysis and capturing; Frontend fingerprint initial analysis; Internal discussions 

4

More research and analysis on use-after-free vulnerabilities and their potential impact on extension manipulation and private key safety; More network traffic analysis

3

Research and analysis on (1) Chrome flags' effects on extension security (2) tracking the existence of extension log and possible ways of using them

3

Tracking unexpected movement of victim funds (J, DK) and result of suspension mechanisms; Internal discussions and analysis; Research on methods of tracking hackers

3

Further analysis on local storage encryption strength and end-to-end code review; Comparison against MetaMask code and local storage encryption strength; Analysis, report, and internal discussions; Hacking transaction analysis, r,s,v signature analysis and transaction signature's relation to choice of wallets and RPC endpoints

5

(Continued)

3

Research and analysis on new victim's report (J); New questionaire design; Further browser history analysis and pairwise comparisons among existing victims; Internal discussions

9

Victim interview (J) and post-interview analysis with detailed report; Transaction hash and signature recovery / verification and discussions on the discrepencies

4

1wallet QR code parser 

2

Research and analysis on npm dependencies vulnerabilities and automated tools for such analysis

4.5

Responses team briefing; Briefing with Quoc and onboarding; Aggregation and labelling of victim/hacker related addresses and transactions; Discussions and investigations on npm dependencies and potential vulnerabilities; Fingerprint tracking setup and discussions

5

Tracking and analyzing fingerprints in realtime; Cross-checking existing and new-found vulnerabilities with Quoc; Internal discussions; Review and feedback on hacking incident announcement blog; Investigation and analysis on post-incident interactions between victim and people with suspicious behaviors; 

5

Create, configure, and deploy thiefmonitor - server-side application that continously monitor transasctions from any set of addresses, and sending structured email alerts; Fingerprint and ProtonVPN analysis

2.5

Response team briefing and internal discussions; Review of Quoc's initial report on security vulnerabilities in extension wallet

2

Fingerprint tracking and internal discussions and disambigution

4.5

Extension wallet clickjacking and iframe embedding issue reproduction and investigation; Demonstration and further exploitations on the issue; Internal discussion; Sync with Quoc

6

Further analysis and investigation into iframe embedding vulnerability; Analysis of property-getter override vulnerability and scope of impact; Security analysis using runtime (minimized), cross-compiled code; Internal discussions; Further IP tracing and fingerprint tracing

2

Response team briefing; Analysis of IP tracing and linkage of attacks; Analysis of new victim profile (O), browser history, and recent transaction history; Suspect investigation; Extension wallet deprecation planning; Internal discussions

2

(Continued) Suspect investigation and interview with relevant personnel; Chrome extension security expert engagement; Damage mitigation planning and briefing

1

Re-evaluation of staked asset migration plan and internal discussion; 

3

Response team briefing; FBI Sync; Extension code review on miscellaneous areas; Evidence gathering, preparation, and analysis on suspec;

2

(Continued) Tornado cash activity tracing on latest victims; Expansion of fingerprint tracing and IP tracing; More fingerprint analysis

5

Report #2 (Additional Victims, Frontend Tracing, Backend and RPC Tracing, Log Analysis, Suspect Analysis, Background, History, Interview and Evidence)

4

Blacklist log analysis and discussion; IP and fingerprint tracing and analysis; Further extension code review

1

1wallet design review and sync with Darren

2

Response team briefing; Node leader log processing

3

1wallet v15 pre-release notes

0.5

Response team briefing

3

Review and analysis of AnChain report; Internal discussions

1

1wallet QR parser: deduplication; write secrets to separate plaintext files; fix some messages and bugs

2

AnChain sync and report discussions; Response team briefing; New victim interview (MC); Internal discussions

0.5

Response team briefing

1

Response team briefing; New victim analysis and next step recommendations (MC); Formulation of special process for large accounts at risk; Internal discussions

0.5

(Continued) Interview with owners of large accounts at risk

3.5

Review and debug 1wallet #228 (bundle size reduction), #241 (hotfix of missing styles); Fix bug in core processing util (missing array initialization); Increase timeout in response to RPC instability; Utilities for intelligently producing wallet name hints and make use in every place where names are referred; Create wallet component shared functions regarding before/after commit and preparing proofs; Rearrange balance and spend limit components; Spend limit adjustment components; 

6.5

(Continued)

2.5

AnChain sync; Response team briefing; Sync with Quoc; Analysis of possible scammer/imposter and linkage of hacks

6

1wallet: core flow util: deriveSuperOTP; use deriveSuperOTP in RestoreByCodes; fully functional spend limit adjustment component; 

4

abortion mechanism in event message; Core lib: EOTPDerivation; core util: genOTPStr (for efficient debugging when multiple OTPs are required); Add more verbose logging to relayer; use EOTPDerivation in relevant functions; Revamp spending limit prompts and checking mechanisms; fix bug in remaining limit display in balance page; Fix renew-now link

1

better organized renew page

6

fix truffle distinction between dev and ganache; core lib: add sanity check of parameters to makeCore; CoreDisplaced and CoreDisplacementFailed error handlings; use oldInfo's (i.e. previous security parameters / OTP roots on contract) effectiveTime on deriveSuperEOTP; More structured frontend infrastructure utils (useSuperOps, useOpsBase); Fullly functional renewal for v15

6

(Continued) check whether wallet hasSuperOTP; Fix issues with upgrade to v15 wallet; clear otp input only when it is nonempty; Restrict non-v15 wallets from adjusting limits; Blacklist some recovery addresses and make 1wallet DAO their recovery address during upgrade; keep react component loaded during restore to ensure wallet parameters are properly passed; Ensure worker parameter has seed; move debug message to debug mode only; Add innerRoots check on localExport; Add fallback params in Upgrade; Use api.harmony.one RPC by default; improve messages related to emitted events; fix metamask tool; remove Chrome extension wallet from readme; Improve renewal messaging; Fix an issue which may cause multiple workers to be created; 

1

Chrome extension wallet incident response: new victim profile (MN), investigation, internal discussions; Emergency responses; Tornado Cash tracing and matching patterns against known hackers and victims

9

(Continued); 1wallet: Fix some issues which may cause renewal to malfunction or incorrectly make wallet "expired". Fix worker spamming logs; More granular messages and instructions when user access functionalities that require renewed / upgraded wallets; Make upgrade box promptable; Fix a bug in renewal which causes the process to stall; Fix a bug on renewal which old core parameters are used, in lieu of new ones; Implement early terimination to enable much more efficient calls to deriveSuperOTP; Fix zero-valued effectivetime in renewal; 

3

(Continued) Merged and launched v15; fix 6x6 restore failure after a wallet is upgraded and renewed from v14; Full release notes;

2

Deploying v14 and v15 relayers, setting endpoints and system services; Monitor network stability and debug related issues

4

Response team briefing; Victim counselling procedure consultation (MN); Further investigation into fingerprints and transaction patterns, based on new data collected from new victims;

0.5

SecureLayer7 / Cure53 engagement and initial briefing; Internal discussions; 

1

Chrome extension wallet PR 117 review and testing; Sync with Quoc

1

Sync with Anchain; Response team briefing

1

Response team internal discussions and planning

1.5

Engagement with red teams and security firms; Review of all victim and perpetrator addresses, blacklisting states, and movements offunds; 

0.25

Secureworks initial engagement

0.5

Response team briefing

1

MyContainer incident review, analysis, and discussion

1.5

Engagement with private investigators and preliminary exchange of information

3

Report #3 on theft incidents (New Victims, Perpetrator Tracing, Previous Victims, Suspect, Backend Server Log, Frontend Fingerprints, Total Economical Damage); Analysis of linkage between attacks on multiple victims 

1

Response team briefing

0.5

Sync with Sukanta and internal discussions

0.25

Secureworks second and final engagement (not to proceed)

0.5

VueJS injection vulnerability experimentation

0.5

Private investigator initial briefing and preliminary assignment of work

0.5

Response team briefing

0.5

Experimentation with XSS vulnerabilities in Vue; NDA with SecureLayer7 / Cure53

0.5

Analysis of new victim profiles and priorities (unassigned code names)

0.5

Response team briefing

0.5

Discussion Matthew for extension wallet code analysis

0.5

Victim interview and Q&A call (BL)

0.5

Response team briefing

1

Reproduction and verification of Quoc's extension build; Review of private investigator preliminary report

0.5

Response team briefing

0.5

Coalfire initial engagement and scope discussion

0.5

Onboarding Matthew for extension wallet vulnerability investigation

0.5

Victim interview and Q&A call (DD)

0.5

Response team briefing

1

Sync with Silent Auth

1.5

Extension production deployment and hash-verification step-by-step guide; Quick analysis of new victim / incident

1

New hackathon victim interview, analysis, and recommendation; 1wallet - engagement with Meson team (cross-chain stablecoin bridge integration)

3

New victim browser history analysis (BL, DD) and manual inspection of all common sites

1.5

Investigation and analysis of reported suspicious Ethereum trasanction and contract address that invokes Harmony bridge

0.5

Initial engagement with Merkle Science

0.5

Research and feasibility study on amount-matching based Tornado Cash tracing techniques and past success stories

0.5

Response team briefing

0.5

1

Receivng updates from AnChain and discussions of issues and next steps

2.5

1wallet, project document: Use Ethereum NFT on Harmony as Avatar

1.5

(Continued)

1.5

Review and experimentation of Matthew's vulnerability report #1

0.5

Revision on "Use Ethereum NFT on Harmony as Avatar"

1

Sync with Coalfire

0.5

Response team briefing

1.5

Finalization of "Use Ethereum NFT on Harmony as Avatar"

1

Theft case investigation (lead from Binance related activities)

0.5

Malware investigation

1

Anchain finding presentation and discussions

1

Malware analysis and risk review

1

Silent Auth proposal evaluation and feedback

1

Onboarding Michael M and discussions

1.5

Response team briefing; Investigation on new victim (GU); Emergency response

0.5

Response team briefing

0.5

Response team briefing

1.5

Sync with Timeless; Adjustment of 1wallet v14 RPC endpoint; Performance tests and analysis

0.5

Revisiting zero-day and UAE vulnerability; Internal discussions; Victim password strength review and analysis

0.5

Sync with private investigator regarding suspect

0.5

Evaluation of Project X leads

1

Sync with Merkle Science on Tornado Cash findings

0.5

Response team briefing

1

Evaluation of Project X leads (Xoogler Demo Day projects)

1

Project X deal sourcing (Xoogler meetup)

1

Evaluation of Project X prospect DSCAPE, meeting, and internal discussion

0.5

Evaluation of Project X leads

1.5

Joint evaluation of Project X prospect Gryphon; 1wallet design sync with Darren

1

Joint evaluation of Project X prospect C14

1

Sync with FBI (with Merkle Science)

1.5

Preparation and joint evaluation of Project X prospect Protego

1.5

Joint evaluation of Project X prospect Deepwaters

1.5

Project X deal sourcing (Xoogler meetup #2)

1.5

Joint evaluation of Project X prospect HOPR

2

Research and independent evaluation on MetaLoop; Sourcing Project X leads; Analysis on Webacy

1.5

Joint evaluation of HexaTorch

1

Research and offline evaluation on Project X prospect Cytus

2.5

Diligence meeting with Project X investee C14; Research and diligence on C14 thesis

1

Research and technical diligence on Project X investee Deepwaters

2

(Continued)

1

Silent Auth detailed proposal additional feedback and questions

1

Diligence meeting with Deepwaters

0.5

Statement of Work clarification meeting with Coalfire